Field Parser
Extracts JSON objects and KV structures from TenXTemplates as named fields.
This process enables TenXObjects to access nested JSON/KV values at runtime as named members.
For an hybrid JSON/plain event whose text value is:
17/06/24 17:38:00 INFO ExecutorRunnable: Prepared Local resources Map(__spark__.jar -> resource
{ scheme: "hdfs" host: "10.10.34.11" port: 9000
file: "/user/curi/.sparkStaging/application_1485248649253_0144/spark-assembly-1.6.0-hadoop2.2.0.jar" }
size: 109525492 timestamp: 1497001131801 type: FILE visibility: PRIVATE)
To increase a counter identified by a JSON field (scheme) value with that of a KV entry (size):
To drop the instance if either a KV entry (e.g., visibility) or JSON field (e.g., port) match a specified value:
Arrays
If a JSON/KV field appears more than once within an TenXObject's text, it can be accessed as an array field to access individual entries (e.g., this.myField[i]).
Configuration
To configure the Field parser unit, Edit these settings.
Below is the default configuration from: fields/config.yaml.
ewogICJ0eXBlIiA6ICJvYmplY3QiLAogICJwcm9wZXJ0aWVzIiA6IHsKICAgICJ0ZW54IiA6IHsKICAgICAgInR5cGUiIDogInN0cmluZyIKICAgIH0sCiAgICAiZmllbGQiIDogewogICAgICAidHlwZSIgOiAib2JqZWN0IiwKICAgICAgImFkZGl0aW9uYWxQcm9wZXJ0aWVzIiA6IGZhbHNlLAogICAgICAicHJvcGVydGllcyIgOiB7CiAgICAgICAgImV4dHJhY3QiIDogewogICAgICAgICAgInR5cGUiIDogWwogICAgICAgICAgICAiYm9vbGVhbiIsCiAgICAgICAgICAgICJzdHJpbmciCiAgICAgICAgICBdLAogICAgICAgICAgIm1hcmtkb3duRGVzY3JpcHRpb24iIDogIlNjYW4gVGVuWFRlbXBsYXRlIGZvciBuZXN0ZWQgSlNPTiBvYmplY3RzIG9yIGtleS12YWx1ZSBsaXN0c1xuXG5Db250cm9scyB3aGV0aGVyIHRvIHNjYW4gVGVuWFRlbXBsYXRlcyBmb3IgSlNPTiBvYmplY3RzIG9yIGtleS12YWx1ZSBsaXN0cyAoZS5nLiwgYHtcInByaWNlXCI6IDEwfWAgb3IgYHByaWNlPTEwYCkuIFRlblhPYmplY3RzIGluc3RhbmNlcyBvZiB0aGlzIHRlbXBsYXRlIHdpbGwgcHJvdmlkZSBhY2Nlc3MgdG8gdGhlc2UgZmllbGRzIGFzIG5hbWVkIG1lbWJlcnMgKGUuZy4sIGB0aGlzLnByaWNlYCkuIElmIGEgZmllbGQgYXBwZWFycyBtb3JlIHRoYW4gb25jZSBpbiBbdGV4dF0oaHR0cHM6Ly9kb2MubG9nMTB4LmNvbS9hcGkvanMvI1RlblhCYXNlT2JqZWN0K3RleHQpIGl0IGlzIGFjY2Vzc2libGUgYXMgYW4gYXJyYXkgKGUuZy4sIGB0aGlzLnByaWNlWzFdYCkuIChBY2NlcHRzIGJvb2xlYW4gb3Igc3RyaW5nIHdpdGggJD0gcHJlZml4IGZvciBydW50aW1lIGV2YWx1YXRpb24pIChEZWZhdWx0OiB0cnVlKSIsCiAgICAgICAgICAiZGVmYXVsdCIgOiB0cnVlCiAgICAgICAgfSwKICAgICAgICAibmFtZUJyZWFrcyIgOiB7CiAgICAgICAgICAidHlwZSIgOiBbCiAgICAgICAgICAgICJzdHJpbmciLAogICAgICAgICAgICAibnVsbCIKICAgICAgICAgIF0sCiAgICAgICAgICAibWFya2Rvd25EZXNjcmlwdGlvbiIgOiAiS1YgZmllbGQgbmFtZSB0ZXJtaW5hdG9yIGNoYXJzXG5cbkNvbnRyb2xzIHdoaWNoICd0ZXh0JyBjaGFyYWN0ZXJzIGxlZnQgb2YgYSBjYW5kaWRhdGUgdG9rZW4gZm9yIGJlaW5nIGEgJ2tleScgaW4gYSBLViBmaWVsZCBmb3JtYXRpb24gc2hvdWxkIHNlcnZlIGFzIGEgdGVybWluYXRvciBmb3IgdGhlIHNlYXJjaC4gICBGb3IgZXhhbXBsZSwgZm9yIGFuIFRlblhPYmplY3Qgd2hvc2UgW3RleHRdKGh0dHBzOi8vZG9jLmxvZzEweC5jb20vYXBpL2pzLyNUZW5YQmFzZU9iamVjdCt0ZXh0KSBjb250YWlucyB0aGUgZm9sbG93aW5nIGVudHJ5ICcsdHhfcmVzdWx0PU9LJywgdGhlIGRlc2lyZWQga2V5IHNob3VsZCBiZSAndHhfcmVzdWx0JywgYW5kIHNvIHRoZSBuYW1lIHRlcm1pbmF0b3IgY2hhcmFjdGVyIHNob3VsZCBiZSAnLCcgdnMuICdfJyAoaW4gd2hpY2ggY2FzZSB0aGUga2V5IHdvdWxkIGhhdmUgYmVlbiBuYW1lZCAncmVzdWx0JykuIChEZWZhdWx0OiAsIC9cXHt9LigpW10pIiwKICAgICAgICAgICJkZWZhdWx0IiA6ICIsIC9cXHt9LigpW10iCiAgICAgICAgfSwKICAgICAgICAidmFsdWVCcmVha3MiIDogewogICAgICAgICAgInR5cGUiIDogWwogICAgICAgICAgICAic3RyaW5nIiwKICAgICAgICAgICAgIm51bGwiCiAgICAgICAgICBdLAogICAgICAgICAgIm1hcmtkb3duRGVzY3JpcHRpb24iIDogIktWIGZpZWxkIHZhbHVlIHRlcm1pbmF0b3IgY2hhcnNcblxuQ29udHJvbHMgd2hpY2ggY2hhcmFjdGVycyBmb3VuZCB0byB0aGUgcmlnaHQgb2YgYSB0b2tlbiB3aG9zZSBpcyBhIGNhbmRpZGF0ZSBmb3IgYmVpbmcgYSAndmFsdWUnIGluIGEgS1YgZmllbGQgZm9ybWF0aW9uIHNob3VsZCBzZXJ2ZSAgYXMgYSB0ZXJtaW5hdG9yIGZvciB0aGUgc2VhcmNoLiAgIEZvciBleGFtcGxlLCBmb3IgYW4gb2JqZWN0IHdob3NlIFt0ZXh0XShodHRwczovL2RvYy5sb2cxMHguY29tL2FwaS9qcy8jVGVuWEJhc2VPYmplY3QrdGV4dCkgZmllbGQgY29udGFpbnMgdGhlIGZvbGxvd2luZyBlbnRyeTogJ3N0YXR1cz1SRVNVTFRfU1VDQ0VTUycgdGhlIGRlc2lyZWQgS1YgdmFsdWUgIHNob3VsZCBiZSAnUkVTVUxUX1NVQ0NFU1MnLCBhbmQgYXMgc3VjaCB0aGUgdmFsdWUgdGVybWluYXRvciBjaGFyYWN0ZXIgIHNob3VsZCBiZSAnLCcgdnMuICdfJyAoaW4gd2hpY2ggY2FzZSB0aGUgdmFsdWUgd291bGQgYmUgJ1JFU1VMVCcpLiAoRGVmYXVsdDogL1xce30oKVtdKSIsCiAgICAgICAgICAiZGVmYXVsdCIgOiAiL1xce30oKVtdIgogICAgICAgIH0KICAgICAgfQogICAgfQogIH0sCiAgImFkZGl0aW9uYWxQcm9wZXJ0aWVzIiA6IGZhbHNlCn0=
# 🔟❎ 'run' TenXTemplate field extract configuration
# Configure how to extract JSON objects and KV structures from TenXTemplates.
# To learn more see https://doc.log10x.com/run/transform/fields/
# Set the 10x pipeline to 'run'
tenx: run
# =============================== Extract Options =============================
field:
# 'extract' controls whether to scan TenXTemplate for JSON
# objects or key-value lists (e.g., 'X=Y').
extract: true
# 'nameBreaks' controls which characters found to the left of a token
# whose is a candidate for being a 'key' in a KV field formation should serve
# as a terminator for the search. For example, for an object whose 'text' field
# contains the following entry ',tx_result=OK' the desired key name should be 'tx_result'
# and as such, the name terminator character should be ',' vs. '_' (in which case
# the key would have been named 'result').
nameBreaks: ', /\{}.()[]'
# 'valueBreaks' controls which characters found to the right of a token
# whose is a candidate for being a 'value' in a KV field formation should serve
# as a terminator for the search. For example, for an object whose 'text' field
# contains the following entry: 'status=RESULT_SUCCESS' the desired KV value
# should be 'RESULT_SUCCESS', and as such, the value terminator character
# should be ',' vs. '_' (in which case the value would be 'RESULT').
valueBreaks: ', /\{}()[]'
Options
Specify the options below to configure the Field parser:
| Name | Description |
|---|---|
| fieldExtract | Scan TenXTemplate for nested JSON objects or key-value lists |
| fieldNameBreaks | KV field name terminator chars |
| fieldValueBreaks | KV field value terminator chars |
fieldExtract
Scan TenXTemplate for nested JSON objects or key-value lists.
| Type | Default |
|---|---|
| Boolean | true |
Controls whether to scan TenXTemplates for JSON objects or key-value lists (e.g., {"price": 10} or price=10).
TenXObjects instances of this template will provide access to these fields as named members (e.g., this.price).
If a field appears more than once in text it is accessible as an array (e.g., this.price[1]).
fieldNameBreaks
KV field name terminator chars.
| Type | Default |
|---|---|
| String | , /\{}.()[] |
Controls which 'text' characters left of a candidate token for being a 'key' in a KV field formation should serve as a terminator for the search.
For example, for an TenXObject whose text contains the following entry ',tx_result=OK', the desired key should be 'tx_result', and so the name terminator character should be ',' vs. '_' (in which case the key would have been named 'result').
fieldValueBreaks
KV field value terminator chars.
| Type | Default |
|---|---|
| String | /\{}()[] |
Controls which characters found to the right of a token whose is a candidate for being a 'value' in a KV field formation should serve as a terminator for the search.
For example, for an object whose text field contains the following entry: 'status=RESULT_SUCCESS' the desired KV value should be 'RESULT_SUCCESS', and as such the value terminator character should be ',' vs. '_' (in which case the value would be 'RESULT').
This unit is defined in fields/unit.yaml.